Cyber Investigations and Privacy Litigation

Hunton Andrews Kurth LLP is uniquely qualified to represent clients in the assessment, investigation and litigation of matters arising from cybersecurity and data breach incidents. The firm has assisted clients with more than 2,000 data breaches and cybersecurity events worldwide and has defended our clients in some of the largest, most high-profile litigations. We assist our clients with every aspect of an information security event, including (i) directing incident investigations; (ii) retaining and overseeing cybersecurity consultants; (iii) mitigating financial loss and loss of confidential information; (iv) coordinating notification to affected individuals; (v) setting up call centers and training call center personnel; (vi) preparing for litigation, including advising on retention obligations; (vii) engaging with law enforcement officials and other government (federal, state and overseas) regulators; and (viii) defending resulting enforcement actions and litigation.

We regularly serve as liaisons to the FBI, US Secret Service, US Department of Justice, Federal Trade Commission and state attorneys general on behalf of our clients in these matters. We also routinely engage on our clients’ behalf with foreign data protection authorities in their investigations and enforcement actions. Our lawyers have represented clients throughout the US in federal and state courts, and globally before regulatory agencies and in alternative dispute resolution proceedings. These matters arise out of data security events asserted by regulators, consumers, our clients’ business partners and other parties. Our experience assisting clients with highly complex, large-scale cybersecurity events is internationally acclaimed.

Our lawyers work as part of a multidisciplinary team that is frequently involved immediately after a cybersecurity incident to help clients evaluate and manage all aspects of the event, often with our lawyers leading the investigation, coordinating the global legal analysis and notification to affected individuals and regulators, and generally coordinating the panoply of incident response activities. Information security matters implicate multiple risks and response issues. Because of that complexity, we represent our clients with an interdisciplinary and coordinated team that includes our internationally recognized Privacy and Cybersecurity practice.

Representative experience includes the following:

  • We are representing Yahoo! in all aspects of its nation-state and criminal cybersecurity attacks that compromised approximately 3 billion user accounts. We are defending the company in over 40 consumer class actions across several districts. The federal suits have been consolidated by the Multi-District Litigation Panel in California while the state cases are proceeding before a California judge. We are handling all consumer class action lawsuits and are defending Yahoo! and its affiliate. The firm directed the forensic investigation, and is providing regulatory and litigation counsel and preparing litigation coordination strategies for Yahoo!
  • We are defending a putative nationwide class action litigation regarding the alleged exposure of current and former employees’ personal information due to a spear-phishing attack.
  • We are representing a global networking equipment manufacturer in an ongoing non-public investigation into data security practices related to networked devices.
  • We are advising a large global manufacturer of mobile devices on its response to an extensive FTC inquiry issued to the company and seven other mobile device companies regarding their security updates process.
  • We represented a personal device manufacturer in a class action lawsuit stemming from alleged violations of customer privacy concerns. The lawsuit alleged that the company collected personal data from its products sold to customers, including the plaintiff alleging violations of the US federal Wiretap Act, the Illinois wiretapping law, the Illinois Consumer Fraud and Deceptive Business Practices Act, and common law and equitable claims. We prepared a motion to dismiss but then sought early mediation and were able to agree to successfully settle for monetary and injunctive relief.
  • We assisted a major retailer in managing its investigation of and response to its cybersecurity incident that occurred in the wake of major breaches in the industry. We oversaw an extensive forensic investigation with external consultants, coordinated with law enforcement, assisted with state attorney general investigations, oversaw an extensive and lengthy FTC investigation (successfully avoiding an FTC enforcement action), and advised on significant class action litigation.
  • We defended an international hotel group against a lawsuit alleging a data breach and privacy violations for theft of personally identifiable information.
  • We represented a financial institution client that was victimized by a sophisticated internationally organized crime ring, which breached the client’s network and perpetrated a large-scale theft utilizing the ATM network. We led the investigation of the cyber intrusion, worked with US and international law enforcement agencies, managed communications with financial institution regulators, assisted the client in assessing and responding to litigation risks from customers and other third parties, and successfully resolved the ensuing class actions litigations.
  • We assisted a large health care plan with a data security incident involving 1.2 million individuals. The firm assisted the company with its response to the breach, including the forensic investigation, and advised on compliance with relevant regulatory obligations, such as notification to affected individuals, media outlets and state agencies. The firm also managed a state attorney general investigation and handled a precedent-setting class action lawsuit resulting from the incident.
  • We defended a retail merchant client in all aspects of a significant point-of-sale system data breach, including notification to affected individuals, media outlets and state agencies, as well as an FTC investigation and interactions with law enforcement authorities and class action litigation.
  • We advise numerous retailers on privacy and data security advice concerning claims that arose from a significant skimming incident in which payment cards were compromised. We also manage state and federal government investigations and federal law enforcement cooperative activities.
  • We have counseled multiple clients in cyber-extortion matters and other incidents where our clients have been criminally victimized, and we have coordinated with law enforcement on behalf of our clients in such matters.

Insights